ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1

We discovered several methods used to generate random numbers in ZF1 that
potentially used insufficient entropy. These random number generators are used
in the following method calls:

Zend_Ldap_Attribute::createPassword

Zend_Form_Element_Hash::_generateHash

Zend_Gdata_HttpClient::filterHttpRequest

Zend_Filter_Encrypt_Mcrypt::_srand

Zend_OpenId::randomBytes

In each case, the methods were using rand() or mt_rand(), neither of which
can generate cryptographically secure values. This could potentially lead to
information disclosure should an attacker be able to brute force the random
number generation.

Action Taken

We replaced the usage of rand() and mt_rand() with the random generators of
ZF1 implemented in Zend_Crypt_Math().

Moreover, we removed the usage of the openssl_random_pseudo_bytes() function in
Zend_Crypt_Math::randBytes(). This removal is not a BC break for Linux users
thanks to the usage of /dev/urandom as an entropy source. For Windows users,
this can be a BC break if the Mcrypt extension is not enabled.
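
The difference between the two approaches, as an added example that is not
code from Zend Framework or from this advisory: a token built from mt_rand()
next to one built from a CSPRNG that fails closed when no secure source
exists. The function names weakToken, secureBytes and strongToken and the
seed value are assumptions made for the illustration.

```php
<?php
// Added illustration, not Zend Framework code; all function names are hypothetical.

// Weak pattern: a token derived from mt_rand(). However long the output,
// it is fully determined by the generator's 32-bit seed, and hashing the
// values adds no entropy.
function weakToken($seed)
{
    mt_srand($seed); // seeded explicitly only to make the determinism visible
    return md5(mt_rand() . mt_rand());
}

// Hardened pattern: take bytes from a CSPRNG and fail closed. There is
// deliberately no fallback to rand() or mt_rand().
function secureBytes($length)
{
    if (function_exists('random_bytes')) {          // PHP 7.0+
        return random_bytes($length);
    }
    if (@is_readable('/dev/urandom')) {             // Linux and other Unix-likes
        $fh = fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            stream_set_read_buffer($fh, 0);         // read only what is needed
            $bytes = fread($fh, $length);
            fclose($fh);
            if ($bytes !== false && strlen($bytes) === $length) {
                return $bytes;
            }
        }
    }
    throw new RuntimeException('No cryptographically secure random source available');
}

function strongToken()
{
    return bin2hex(secureBytes(16));                // 128 bits of CSPRNG output
}

// The same seed reproduces the same "random" token.
var_dump(weakToken(12345) === weakToken(12345));

// Two CSPRNG tokens: 32 hex characters each, independent of any seed.
$a = strongToken();
$b = strongToken();
var_dump(strlen($a), $a === $b);
```

On a host with neither random_bytes() nor a readable /dev/urandom, secureBytes
throws instead of degrading to a weak generator, which is the behaviour an
application should expect to handle after a change like the one described above.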

The following releases contain the fixes:

Zend Framework 1.12.18

Recommendations

If you are using an affected version of PHP, we highly recommend upgrading
immediately to Zend Framework 1.12.18.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and
working with us to help protect its users:

Brian Engert of Soliant Consulting, who
discovered, reported, and proposed a patch for the issue;

Enrico Zimuel, who tested the patch and added the patch
for the OpenSSL usage removal.